August 17, 2018

OCR Warns Providers About Securely Disposing Electronic Devices

The July 2018 cyber security newsletter issued by the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) reminds health care providers and their business associates of the importance of properly disposing of and destroying electronic devices and/or media that are no longer needed or that will be repurposed. The HIPAA Security Rule requires covered entities and business associates to have policies and procedures in place that govern the proper disposal and re-use of hardware and electronic media that contain electronic protected health information (“ePHI”).

OCR recommends that covered entities and business associates do the following for electronic devices or data that contain ePHI: decide what methods are appropriate for disposing of hardware, software, or data itself; document such methods; make sure that ePHI is actually destroyed or securely removed from the devices or media; and identify and remove any removable media before destruction or reuse.

OCR previously issued guidance on how to properly and securely dispose of PHI. If a covered entity or business associate follows this guidance, the PHI does not fall into the category of “unsecured” and thus, in case of a security incident, is not subject to HIPAA’s breach notification requirements. For ePHI, OCR considers it to be securely disposed of when the electronic media containing the ePHI have been “cleared, purged, or destroyed” in accordance with NIST Special Publication 800-88 Revision 1, Guidelines for Media Sanitization.

As electronic devices can store huge amounts of ePHI, providers must make sure that any ePHI contained on such devices is properly secured throughout the life cycle of the device. While it is important that providers establish proper safeguards for protecting ePHI while the devices are in use, it is equally important that providers ensure that any ePHI is destroyed or removed from the device once it is no longer needed.

To read the full newsletter, click here.

©1994-2018 Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C. All Rights Reserved.

About this Author

Sarah Beth S. Kuyers, Mintz Levin
Associate

Sarah Beth’s practice focuses on advising health care providers, PBMs, and laboratories on a variety of regulatory issues.

Prior to joining Mintz Levin, Sarah Beth worked as a law clerk with the health staff of the US Senate Committee on Finance, where she researched policy, regulations, and legislation regarding commercial insurance reform, health IT, Medicare, Medicaid, and the Affordable Care Act. She also drafted legislation.

In addition, Sarah Beth worked as a law clerk for a legal practice in Washington, DC. Her...

202.434.7453